Congressional Security

We must protect Congress as an institution and the people employed there while ensuring the institution is open to the public.

Our politics are getting more violent and there are always-present concerns about surveillance. There is much we can do to ensure Congress is both secure and open to the public, and that starts with smart policies on these issues.

Capitol Security

We’re focused on ensuring that the US Capitol complex is safe for lawmakers to conduct government business and for the public to communicate with their elected representatives.

The Capitol complex cannot become a green zone where only a select few are allowed to enter. Nor can the model of security employed for the White House be employed within the Legislative branch. It is possible to balance these needs.

US Capitol Police

Long before the January 6 insurrection brought public scrutiny to the US Capitol Police (USCP), we’d conducted years of research on the agency’s notable lack of accountability and sounded the alarm on its failings. When the insurrection struck, we provided data and analysis that informed news coverage and highlighted the Capitol Police’s failure to protect Congress.

We are seriously concerned that Congress and its security forces were and continue to be unprepared for an attack on the Capitol. While the Capitol Police is extraordinarily well-funded, it is not a trustworthy steward of that investment: the agency is rife with poor leadership and lacks accountability structures.

Our Capitol Alert report found that the USCP has either failed to comply with or has slow-walked implementing several reform directives from Congress and recommendations by the Government Accountability Office (GAO), all aimed at improving the agency’s accountability.

Structural problems with the leadership and oversight of the USCP create a fundamental risk to the safety of Congress, which cannot be resolved by throwing money at the problem. The only way for the Capitol Police to become an effective security force is for the agency to be rebuilt with a new leadership structure and a system of transparency and accountability guided by solid metrics to help evaluate and prepare for threats against members, staff, and the Capitol complex.

Through congressional testimony, coalition letters, and appropriations recommendations, we lead the effort to make the Capitol Police accountable and urge Congress to prioritize these reforms:

  1. Making USCP Inspector General reports available to the public
  2. Developing a FOIA-like process so that the public can access USCP records
  3. Restructuring the USCP Board to eliminate conflicts of interest and encourage oversight
  4. Creating an independent oversight Board

Beyond that, the Capitol Police should provide threat assessment reports to each individual member of Congress and disclose aggregate reports quarterly concerning threats to members of Congress and their staff.

Congressional appropriators have directed the Capitol Police to publish its IG reports and heeded our call to develop a FOIA-like process for information sharing. But the USCP is still delinquent on both reforms. To make sure it had no excuse to keep dragging its feet on public records, we went ahead and drafted model FOIA-like regulations.

In 2022, these efforts continued and we were called as a witness on behalf of the Republicans before the House Administration Committee on the failures inside the Capitol Police.

We continue to call for US Capitol Police accountability to keep Congress safe. You can follow our work by subscribing to our First Branch Forecast newsletter.

Cybersecurity

There is no Congress-wide effort to address cybersecurity. It is unclear to what extent everyone connected to Congress (all personal, committee, and leadership offices, plus support offices and agencies) is following basic precautions, such as being on secure devices that are up-to-date, using two-factor authentication, and using password managers.

Congress should consider providing or subsidizing the use of such tools, or at a minimum train staff and members on their importance and how to use them.

We also recommend that Congress:

  • make available a hardware authentication device, such as a YubiKey, to every person employed by or contracting with Congress who uses a computer inside the congressional network;
  • require encryption-by-default on all official work devices;
  • formally assert speech or debate clause protection over information owned or used by congressional offices but stored in the cloud; and
  • encourage secure, encrypted communications among legislative support agencies.

And given the decentralized nature of Congress, the additional need to work remotely in times of emergency, and the dangers that arise from having non-official people on the Capitol campus, we’ve called for a Congress-wide cybersecurity entity with appropriate authority to direct, and sufficient funds to implement, cybersecurity best practices.